Application No. 10/600,683
Amendment "F" dated January 9, 2009
Reply to Office Action mailed July 09, 2008

REMARKS 

The Office Action, mailed July 9, 2008, considered and rejected claims 30-45. Claim 38 
was objected to under 37 CFR 1.75(c), as being of improper dependent form for failing to further 
limit the subject matter of a previous claim. Claims 30-45 were rejected under 35 U.S.C. § 112, 
first paragraph, as failing to comply with the written description requirement. Claims 30-45 
were rejected under 35 U.S.C. § 112, second paragraph, as being indefinite for failing to 
particularly point out and distinctly claim the subject matter which applicant regards as the 
invention. Claims 30-45 were rejected under 35 U.S.C. § 103(a) as being unpatentable over 
Razmov ("Practical Automated Filter Generation to Explicitly Enforce Implicit Input 
Assumptions") in view of CERT ("Malicious HTML Tags Embedded in Clients Web Requests" 
and "Understanding Malicious Content Mitigation for Web Developers") and Fielding (RFC 
2616).¹ 

1. Objections to the Specification 

With regard to the specification, the Office has noted that "wherein examining the HTTP 
request for script constructs consists of examining only HTML elements where user input is 
introduced" has no antecedent basis in the specification. Applicant respectfully submits that this 
objection is moot inasmuch as the claim amendments no longer recite the full phrase objected to 
by the Office. 

With respect to the objection to the specification based on "finding a script construct 
within a particular HTML element" Applicant respectfully traverses. In particular, ¶ 29 of the 
originally filed application notes that "[t]he present invention not only searches for typical script 
constructs such as angle brackets, but also for script constructs or markers of active content that 
are only harmful when rendered inside of particular HTML elements." The obvious 
consequence, as noted in the same paragraph, is that when such a script construct is present, it is found 
within that particular HTML element. 



¹ Although the prior art status of the cited art is not being challenged at this time, Applicant reserves the right to challenge the 
prior art status of the cited art at any appropriate time, should it arise. Accordingly, any arguments and amendments made herein 
should not be construed as acquiescing to any prior art status of the cited art. 

Claim amendments made herein are supported by the original application, including at least the disclosure in paragraphs 7, 8, 22, 
24, 25, 28, and 29 of the original application. 
With respect to the objection to the specification based on "further comprising encoding 
user input to render the script construct inert", Applicant notes that the specification has been 
amended. Specifically, ¶ 7 has been amended to include a direct reference to the rendering of the 
script inert. No new matter is introduced as such was expressly included in at least claim 15 of 
the originally filed application. 

With respect to objections based on "further comprising encoding user input to render the 
script construct inert" and "examining only the request for dynamic content in the form of the 
embedded link and other HTML elements where user input is introduced," Applicant notes that neither 
phrase is found in the amended claims, and the objection is therefore moot. 

2. Drawings 

With respect to the objection to the drawings, Applicant respectfully traverses. In 
particular, while 37 C.F.R. § 1.83(a) notes that drawings must show every feature of the 
invention specified in the claims, 37 C.F.R. § 1.81(a) also notes that drawings need only be 
submitted where necessary for the understanding of the subject matter sought to be patented. 
Applicant respectfully submits that inasmuch as 37 C.F.R. § 1.83(a) and 37 C.F.R. § 1.81(a) are 
therefore in conflict, the only requirement is that when drawings are necessary to understand the 
subject matter sought, they must include every feature of the invention. Applicant respectfully 
submits that no such requirement is necessary here as one skilled in the art could easily 
understand the subject matter of the pending claims even without additional or amended 
drawings. 

3. Claim Objections 

Claim 38 has been cancelled, thereby rendering the objection thereto overcome. 

4. Rejections under 35 U.S.C. § 112, first paragraph 

As noted above, claims 30-45 were rejected as failing to comply with the written 
description requirement. The sole basis for such rejection appears to be the elements recited in 
the objection to the specification. Accordingly, inasmuch as such objection has been addressed 
above, Applicant respectfully submits that the rejection under 35 U.S.C. § 112, first paragraph, 
has been overcome for at least the same reasons. 
Additionally, Applicant notes that the Office has failed to satisfy its burden in proving a 
prima facie case of lack of compliance with the written description requirement. In particular, 
M.P.E.P. 2163.04 notes that the burden is on the Office with regard to the written description 
requirement. As part of that burden, the office "must set forth express findings of fact which 
support the lack of written description conclusion." Further, when setting forth these express 
findings, they should: (1) identify the claim limitation at issue; and (2) establish a prima facie 
case of obviousness by providing reasons why one skilled in the art at the time the application 
was filed would not have recognized the inventor was in possession of the invention as claimed 
in view of the disclosure of the application as filed. Notably, a simple statement that Applicant 
has not pointed out where the new/amended claim is supported and there does not appear to be a 
written description of an identified claim limitation may be sufficient where the support is not 
apparent and Applicant has not pointed out where the claim limitation is supported. 

In this regard, Applicant notes that the Office only generally alleges "Applicant has not 
pointed out where the new (or amended) claim is supported, nor does there appear to be a written 
description of the claim limitations in the application as filed." Such an assertion is clear error. 
In particular, Applicant's prior response specifically pointed out where the new claims were 
supported. Indeed, the prior response pointed to support in paragraphs 7, 8, 15, 16, 18, 21, 22, 
24-28, 30 and 31 of the originally filed application, as well as in the original claims and figures. 
As Applicant expressly pointed out the support, the Office's general allegation is therefore 
insufficient to provide the specific reasons why one skilled in the art would not have recognized 
Applicant possessed the claimed invention. 

Applicant further notes with particular regard to the claim elements relating to rendering 
of a script construct inert, that the original application specifically included claims directed to the 
same subject matter. Inasmuch as the original claims form part of the original disclosure, the 
claims therefore necessarily also provide support to advise the person skilled in the art that, at the 
time of the invention, Applicant possessed the claimed invention. 

5. Rejections under 35 U.S.C. § 112, second paragraph 

Claims 30-45 were also rejected as being indefinite for the use of the phrase "only HTML 
elements where user input is introduced." As this phrase is no longer recited in the claims, 
Applicant respectfully submits the rejection is overcome. 
Claims 32 and 37 have also been amended to render the rejections thereto overcome. 

With respect to the rejection of claim 40, Applicant has not amended the claim inasmuch 
as "error the event" is not found within claim 40, or within any of the pending claims as best 
Applicant can tell. Applicant respectfully submits that such a rejection was in error and 
withdrawal thereof is requested. 

6. Rejections under 35 U.S.C. § 103 

As reflected in the above claim listing, Applicant's claims generally relate to methods 
and computer program products for mitigating cross-site scripting attacks of a third party against 
responses served from a web server to a user computer. As recited in claim 30, for example, an 
exemplary method includes receiving an HTTP request at the web server. The HTTP request 
was sent by the user computer and requests a response, which response includes text and HTML 
elements. Before the request is dynamically rendered, a script module of the server examines the 
HTTP request for script constructs identified in an updateable list of markers of active content 
that is stored at the web server. Such examination consists of examining elements where user 
input is introduced. A script construct is then found within a particular HTML element and, in 
response, an error is generated and the HTML request aborted. The user computer is then 
informed of the find and requested to resubmit a request. Claim 44 recites a similar method as 
being capable of performance due to its storage on a computer-readable medium of a computer 
program product. Claim 45 also recites a similar method in which the found script construct is in 
an embedded link. 
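As an added illustration of the method characterized above (example code written for this page; it is not the applicant's implementation, nor anything from the cited references, and the request samples, marker strings and field names are all constructed), the following Python sketch examines only the user-supplied portions of a parsed HTTP request against an updateable list of active-content markers, and, before any dynamic rendering, generates an error, aborts the request and asks the client to resubmit when a marker is found:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit
import html

# Updateable list of markers of active content kept at the server.
# These strings are constructed example values for this illustration only.
DEFAULT_MARKERS: List[str] = [
    "<script", "</script", "javascript:", "onerror=", "onload=",
    "<iframe", "<object", "<embed",
]


@dataclass
class MarkerList:
    """Marker list that can be updated at run time without code changes."""
    markers: List[str] = field(default_factory=lambda: list(DEFAULT_MARKERS))

    def add(self, marker: str) -> None:
        if marker.lower() not in (m.lower() for m in self.markers):
            self.markers.append(marker)

    def find(self, text: str) -> Optional[str]:
        """Return the first marker present in text (case-insensitive), else None."""
        lowered = text.lower()
        for marker in self.markers:
            if marker.lower() in lowered:
                return marker
        return None


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: Dict[str, str]
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Minimal parser for a raw HTTP/1.1 request: request line, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers, body)


def user_input_fields(req: HttpRequest) -> List[Tuple[str, str, str]]:
    """Only the portions where user input is introduced: query-string parameters
    and URL-encoded form fields. Path, headers and other input are not examined.
    Values are percent-decoded first so an encoded marker is not missed."""
    query = urlsplit(req.target).query
    fields = [("query", n, v) for n, v in parse_qsl(query, keep_blank_values=True)]
    content_type = req.headers.get("content-type", "")
    if content_type.startswith("application/x-www-form-urlencoded") and req.body:
        fields += [("form", n, v) for n, v in parse_qsl(req.body, keep_blank_values=True)]
    return fields


def examine_request(req: HttpRequest, markers: MarkerList) -> Optional[Dict[str, str]]:
    """Details of the first script construct found in a user-input field, else None."""
    for location, name, value in user_input_fields(req):
        hit = markers.find(value)
        if hit is not None:
            return {"location": location, "field": name, "marker": hit}
    return None


def handle_request(raw: str, markers: MarkerList) -> Tuple[int, str]:
    """Examine before dynamic rendering. On a find: generate an error, abort the
    request and ask the client to resubmit. Otherwise render (stand-in echo)."""
    req = parse_request(raw)
    finding = examine_request(req, markers)
    if finding is not None:
        message = (
            "Request aborted: active-content marker {marker!r} found in {location} "
            "field {field!r}. Remove it and resubmit the request."
        ).format(**finding)
        return 400, message
    # Stand-in for dynamic rendering: echo the fields, HTML-escaped.
    rendered = "".join(
        "<p>{}: {}</p>".format(html.escape(name), html.escape(value))
        for _, name, value in user_input_fields(req)
    )
    return 200, rendered or "<p>(no user input)</p>"


# Constructed sample requests (not captured traffic).
SAMPLE_CLEAN = "GET /search?q=web+filters&page=2 HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_QUERY_HIT = ("GET /search?q=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1\r\n"
                    "Host: example.test\r\n\r\n")
SAMPLE_FORM_HIT = ("POST /comment HTTP/1.1\r\nHost: example.test\r\n"
                   "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                   "comment=hello+onerror%3Dx&name=alice")
# Marker appears only in a header, which is not a user-input portion: not examined.
SAMPLE_HEADER_ONLY = ("GET /search?q=hello HTTP/1.1\r\nHost: example.test\r\n"
                      "Referer: http://example.test/<script>\r\n\r\n")
# Caught only once the list is updated with a new marker.
SAMPLE_NEW_MARKER = "GET /search?q=%3Csvg%20onload HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    markers = MarkerList()
    for label, raw in [("clean", SAMPLE_CLEAN), ("query", SAMPLE_QUERY_HIT),
                       ("form", SAMPLE_FORM_HIT), ("header-only", SAMPLE_HEADER_ONLY)]:
        print(label, *handle_request(raw, markers))
```

The example makes the distinction the remarks draw concrete: `user_input_fields` is the only thing the examiner looks at, so a marker in a request header or the path is deliberately not a finding, whereas a whole-input filter of the kind attributed to Razmov would have inspected it. Matching is done on percent-decoded values and case-insensitively; which fields count as "user input" for a given application, and what the marker list contains, are assumptions of this sketch.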

With respect to the art of record, Applicant notes that Razmov generally relates to a 
filtering system that automates filter generation based on assumptions about inputs to 
applications. In particular, Razmov describes an application-based filtering system in which an 
application's input is intercepted and routed to a filtering script. The script parses the input into 
parameters and then tests assumptions on them. Based on the outcome, the filtering script may 
pass the input on to the application or may drop the input and write to an error log. (Section 3). 

Notably, the only information received by the intercepting module and then filtered is the 
input data for the application. Significantly, any information received by the application may 
therefore be input, regardless of whether generated by a user, some other application, a third 
party, etc. In other words, Razmov expressly includes a system in which all input, regardless of 
whether it is user input is filtered. 

As the input is all extracted into parameters and each extracted parameter is tested, 
Razmov thus teaches a system in which all of the input to the server is filtered. In contrast, the 
pending claims recite a system in which an HTTP request is examined for script constructs by 
examining only the portions of the request where user input is introduced. Such recitation is 
evident inasmuch as the claims recite that examining consists of examining those portions where 
user input is introduced. As Razmov thus teaches to apply the filter to all input, without regard to 
whether input is user input, it therefore teaches away from the recited invention which examines 
only portions where user input is introduced. 

Furthermore, when Razmov is combined with the other art of record, there is no teaching 
or reasonable support for contradicting the teachings of Razmov and testing only user input. For 
example, CERT discloses that all dynamic content is filtered, apparently without regard to 
whether the input is from a server, user, outside source, application, etc. Thus, CERT merely 
reinforces the teachings of Razmov that all input, regardless of source, is filtered. Fielding is 
also no more instructive. Specifically, Fielding describes the general HTTP 1.1 protocol, in 
which minimal filtering or examination is performed, and which has no filtering with respect to finding 
script constructs. Indeed, section 10 of Fielding, which is the only portion relied upon by the 
Office, notes that error messages may be created when a client computer has erred (e.g., 
improper syntax, conflict with other resources, forbidden actions, etc.). Notably, nothing in 
these or other sections appears to recite or support limiting scanning of a request or input to only 
user input portions. 

Accordingly, the cited art, whether cited alone or in combination, is all directed to 
searching/filtering a request or input. When considered in combination, the art merely discloses 
filtering, but has no disclosure or support for filtering only a subset of information, much less a 
subset that includes only user input. 

In view of the foregoing, Applicant respectfully submits that the other rejections to the 
claims are now moot and do not, therefore, need to be addressed individually at this time. It will 
be appreciated, however, that this should not be construed as Applicant acquiescing to any of the 
purported teachings or assertions made in the last action regarding the cited art or the pending 
application, including any official notice. Instead, Applicant reserves the right to challenge any 
of the purported teachings or assertions made in the last action at any appropriate time in the 
future, should the need arise. Furthermore, to the extent that the Examiner has relied on any 
Official Notice, explicitly or implicitly, Applicant specifically requests that the Examiner 
provide references supporting the teachings officially noticed, as well as the required motivation 
or suggestion to combine the relied upon notice with the other art of record. 

In the event that the Examiner finds remaining impediment to a prompt allowance of this 
application that may be clarified through a telephone interview, the Examiner is requested to 
contact the undersigned attorney at (801) 533-9800. 

Dated this 9th day of January, 2008. 

Respectfully submitted, 

/Colby C. Nuttall, Reg. # 58,146/ 

COLBY C. NUTTALL 
Registration No. 58,146 
RICK D. NYDEGGER 
Registration No. 28,651 
Attorneys for Applicant 
Customer No. 047973 